RHADMIN
asked on
Problem adding a Server 2003 AD to an existing Server 2000 Forest
I'm trying to add a new Windows Server 2003 server to an existing Server 2000 forest and I'm having some problems. When I attempt to run dcpromo I get the following error:
--------------------------
The operation failed because:
This Active Directory Installation requires domain configuration changes. Run the adprep /domainprep command on domain controller (null) to make these changes and then proceed with Active Directory installation.
"The server is unwilling to process the request."
--------------------------
The forest currently contains only one domain controller which holds all FSMO roles as well as DNS. I've run "adprep /forestprep" as well as "adprep /domainprep" on the old DC. The log file for the /forestprep shows a successful completion but the /domainprep log doesn't show a concrete end. It doesn't say success or failure, it just ends. After I ran the /forestprep I received a success notice at the command prompt but when I ran the /domainprep I didn't get anything, it paused for about 10 seconds and then returned to a basic prompt.
Here are the last few lines from the /domainprep log:
--------------------------
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_add_s() finished, return code is 0x0
Adprep successfully created the directory service object cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x20
Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
[Status/Consequence]
The operation has not run or is not currently running. It will be run next.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x0
--------------------------
One other detail that might have some relevance. I have two Exchange servers currently running on the domain, one Exchange 2000 server (in the process of being decommissioned) and a new Exchange 2003 server which contains all active stores.
ASKER
We did have an old DC that was improperly demoted previously. I used adsiedit and ntdsutil to remove it completely. I removed it from DNS, Sites and Services, Users and Computers, etc. That was all done before I attempted this dcpromo. The Domain Controller container only contains the one Win2k Server DC.
So just to confirm, there is only one DC showing using ntdsutil. It holds all of the FSMO roles as well as DNS. Replication shouldn't be an issue here should it?
There are no errors showing in Event Viewer.
With Windows 2003 R2 (release 2) you will need to run the adprep tools from the second CD supplied in the 2 CD set!
\CMPNENTS\R2\ADPREP
Now this wasn't an imaged machine, was it?
ASKER
I'll take a look Jay Jay.
This machine wasn't imaged but it may be in the future. Is there a reason not to?
Unless you use sysprep with an image you will come across problems if rolling it out to multiple machines.
I had the same problem about a year ago with adprep and it was due to the SIDs duplicated with an image.
ASKER
It looks like we have release 1. The second disc is called "Diagnostic Tools" and doesn't have adprep on it. I've been running adprep from the main Server 2003 install disc.
ah k, so just normal Server 2003. ok
did you have a run through the metadata cleanup?
ASKER
Yep, I ran that and the domain currently shows only one domain controller. adsiedit/users and computers also shows only one dc.
Aight, I will ask Netman66 to have a look as he has nailed these types of problems a few times
ASKER
Thanks Jay_Jay70, this is really driving me nuts.
i understand that, i think i would have gone mad and started again but there is an answer - i just don't know it!
ASKER
Ok so I'm looking at the contents of the policies folder but it seems to be empty. I checked the permissions on the policies object itself and it shows full propagation from parent. The System, Enterprise and Domain admins all have full rights.
ASKER
The Policies OU also looks empty from inside ADSI edit. I must be missing something. I'm not seeing any GUIDs at all.
ASKER
At this stage I'm strongly considering starting from scratch. Would you agree that I've more or less exhausted my options Netman66?
Well, that's certainly an issue if the policies are missing.
How many DCs do you have? Can you check the Sysvol on each to see if any of these policies exist somewhere?
You may just need to run DCGPOFIX to recreate them - but beware if running Exchange.
Let us know.
ASKER
I found the policies in the sysvol and the one referenced at the end of the log file did indeed have insufficient rights set for the domain/enterprise admins. I corrected them and ran /domainprep again. It still doesn't seem to have run correctly.
Here's the end of the log:
--------------------------
Adprep checked to verify whether operation cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x0
Adprep checked to verify whether operation cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x0
Adprep checked to verify whether operation cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x20
Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
[Status/Consequence]
The operation has not run or is not currently running. It will be run next.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x0
--------------------------
As far as I can tell it didn't change anything. I'll try rebooting the server after hours tonight and run domainprep again.
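Added example (not part of the original thread or any poster's code): a small Python parser for the adprep log tail quoted above. It reports which operation GUIDs already have a marker under cn=Operations, which operation was announced as "will be run next" but never completed, and the last LDAP call made before the log stops. The function name and the sample (rebuilt from the lines quoted in the thread) are constructed for illustration; 0x20 is the standard LDAP result code LDAP_NO_SUCH_OBJECT.

```python
import re

# Standard LDAP result codes that appear in the quoted log.
LDAP_CODES = {0x0: "LDAP_SUCCESS", 0x20: "LDAP_NO_SUCH_OBJECT"}
OP_RE = re.compile(r"cn=([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}),cn=Operations", re.I)
TARGET_RE = re.compile(r"(?:entry to add|base entry to start the search) is (.+)\.$")
RC_RE = re.compile(r"LDAP API (\w+)\(\) finished, return code is (0x[0-9a-f]+)", re.I)
CREATED = "successfully created the directory service object"

def summarize_adprep_tail(log_text):
    """Report finished operations, the operation left in flight, and the last LDAP call."""
    completed, in_flight, current_op, target, last_call = [], None, None, None, None
    for line in map(str.strip, log_text.splitlines()):
        op_here = OP_RE.search(line)
        if op_here:
            current_op = op_here.group(1).lower()
        if m := TARGET_RE.search(line):
            target = m.group(1)
        if m := RC_RE.search(line):
            code = int(m.group(2), 16)
            last_call = (m.group(1), LDAP_CODES.get(code, hex(code)), target)
        if "GUID already exists" in line or (CREATED in line and op_here):
            # The marker object under cn=Operations exists: this operation is done.
            if current_op and current_op not in completed:
                completed.append(current_op)
            if in_flight == current_op:
                in_flight = None
        elif "It will be run next" in line:
            in_flight = current_op
    return {"completed": completed, "in_flight": in_flight, "last_call": last_call}

# Constructed sample: the tail of the /domainprep log quoted in the thread.
OPS = ",cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc"
SEARCH = ("Adprep was about to call the following LDAP API. ldap_search_s(). "
          "The base entry to start the search is ")
POLICY_DN = "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc"
SAMPLE = "\n".join([
    SEARCH + "cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d" + OPS + ".",
    "LDAP API ldap_search_s() finished, return code is 0x0",
    "The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.",
    SEARCH + "cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a" + OPS + ".",
    "LDAP API ldap_search_s() finished, return code is 0x20",
    "The operation has not run or is not currently running. It will be run next.",
    SEARCH + POLICY_DN + ".",
    "LDAP API ldap_search_s() finished, return code is 0x0",
])

if __name__ == "__main__":
    for key, value in summarize_adprep_tail(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the operation left in flight is 6ada9ff7-c9df-45c1-908e-9fef2fab008a and the last object touched is the CN=User container of policy {31B2F340-016D-11D2-945F-00C04FB984F9}, the same point at which both logs in the thread stop.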
No, now that the permissions are correct you may want to try DCGPOFIX again to recreate the default policies - then - retry domainprep.
ASKER
I've been looking at DCGPOFIX, is there any concern that my established group policy might be changed when I run it? We don't use the default GPO for anything other than password policy and setting a couple of accounts to run as service (all security settings). Based on what I've read these settings shouldn't be changed. Is that correct?
Is there any danger that other GPOs will be edited?
Yes, this tool only affects the Default policies.
If you have GPMC, you may want to back up all your GPOs just in case.
ASKER
Wow, the GPMC is a great tool. Thanks for the tip. I've backed up my GPOs and I'll be running DCGPOFIX tonight.
ASKER
I apologize for the delay. My time has been co-opted for another project. I'll be back to update this one in the next few days.
Have you checked for any orphaned entries for domain controllers in the domain, any that might have been removed physically but still have entries on the DC?
If yes, do a metadata cleanup.
===================
support.microsoft.com/kb/2
how many DC's ?
any errors reported in eventvwr ?